authorjperkin <jperkin@pkgsrc.org>2015-08-14 08:57:00 +0000
committerjperkin <jperkin@pkgsrc.org>2015-08-14 08:57:00 +0000
commitece03cdd151d4276c64277cff8515964795f993a (patch)
treec08d8e3781662e13dcbc9aaf50f28290fc73c4cf
parent655d8b2205db985fc4e54197e1ce5632849bc5ea (diff)
Fix a bug introduced 9 years ago in patch-sshd.c which has meant that
privilege separation has been disabled all that time. The logic was changed such that it was only enabled on Interix, instead of only being disabled on Interix as originally intended. While here, pull in patches from MacPorts to enable privsep on Darwin. Bump PKGREVISION.
-rw-r--r--security/openssh/Makefile26
-rw-r--r--security/openssh/PLIST3
-rw-r--r--security/openssh/distinfo15
-rw-r--r--security/openssh/files/org.openssh.sshd.sb.in23
-rw-r--r--security/openssh/patches/patch-auth2.c4
-rw-r--r--security/openssh/patches/patch-loginrec.c4
-rw-r--r--security/openssh/patches/patch-openbsd-compat_bsd-openpty.c4
-rw-r--r--security/openssh/patches/patch-sandbox-darwin.c23
-rw-r--r--security/openssh/patches/patch-sftp-common.c4
-rw-r--r--security/openssh/patches/patch-sshd.c29
-rw-r--r--security/openssh/patches/patch-uidswap.c4
11 files changed, 106 insertions, 33 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index c2e49ec1411..8f623ef7f06 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.234 2015/07/30 03:20:36 taca Exp $
+# $NetBSD: Makefile,v 1.235 2015/08/14 08:57:00 jperkin Exp $
DISTNAME= openssh-6.9p1
PKGNAME= openssh-6.9.1
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
@@ -140,7 +140,7 @@ CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
CONFS= ssh_config sshd_config moduli
-PLIST_VARS+= prng
+PLIST_VARS+= darwin prng
.if exists(/dev/urandom)
. if ${OPSYS} == "NetBSD"
@@ -153,7 +153,14 @@ PLIST.prng= yes
.endif
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
-CONF_FILES= # empty
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
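Review bot: The comment `# enable privsep patches` on the new Darwin block is too vague to tell a maintainer what the three lines under it actually do, and nothing in the block says that the `-D__APPLE_SANDBOX_NAMED_EXTERNAL__` flag is what selects the named-profile code path in patch-sandbox-darwin.c and patch-sshd.c. I would replace it with `# Darwin: install Apple's sshd sandbox profile and build sshd to load it by path (see patch-sandbox-darwin.c)`. Dropping `CONF_FILES= # empty` also means CONF_FILES now relies on whatever value pkgsrc has given it before this point; if that is always empty this is fine, but a short comment saying so would stop the next reader from re-adding the assignment.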
@@ -166,9 +173,9 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
-SUBST_FILES.patch= session.c
+SUBST_FILES.patch= session.c sandbox-darwin.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
-SUBST_MESSAGE.patch= More patch a file.
+SUBST_VARS.patch= PKG_SYSCONFDIR
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
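Review bot: `SUBST_VARS.patch= PKG_SYSCONFDIR` pastes the sysconfdir value into a C string literal (`"@PKG_SYSCONFDIR@/org.openssh.sshd.sb"` in patch-sandbox-darwin.c), so a value containing `"` or `\` would break the build rather than produce a wrong path; that is acceptable for a pkgsrc path but worth a comment on the line, e.g. `# PKG_SYSCONFDIR is embedded in a C string literal in sandbox-darwin.c`. The same substitution class also runs its sed expression and the new substitution over sandbox-darwin.c on every platform; this is harmless because the placeholder only appears under `#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__`, but guarding the `sandbox-darwin.c` addition with the same `.if ${OPSYS} == "Darwin"` as the rest of the change would keep the intent visible.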
@@ -189,6 +196,9 @@ post-configure:
${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
fi
+ ${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \
+ < ${FILESDIR}/org.openssh.sshd.sb.in \
+ > ${WRKDIR}/org.openssh.sshd.sb
post-install:
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
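Review bot: The post-configure sed that generates `${WRKDIR}/org.openssh.sshd.sb` runs unconditionally, while the matching install step in the next hunk is wrapped in `.if ${OPSYS} == "Darwin"`; generating the file on every platform is harmless but inconsistent, and the same guard around these three lines would make the two halves of the change read alike. `${VARBASE:Q}` is shell-quoted, not sed-quoted: with `,` as the delimiter a `/` in VARBASE is safe, but an `&` or `\` in the value would be interpreted by sed. A VARBASE containing those characters is implausible, so a one-line comment noting the assumption is enough. The post-configure target starts before this hunk.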
@@ -199,5 +209,9 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
.endif
+.if ${OPSYS} == "Darwin"
+ ${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+ ${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
.include "../../mk/bsd.pkg.mk"
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index 6aa5f151cb7..ebe150ae24d 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.16 2014/03/29 09:38:11 taca Exp $
+@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
bin/scp
bin/sftp
bin/slogin
@@ -28,6 +28,7 @@ man/man8/ssh-pkcs11-helper.8
man/man8/sshd.8
sbin/sshd
share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
share/examples/openssh/ssh_config
${PLIST.prng}share/examples/openssh/ssh_prng_cmds
${PLIST.pam}share/examples/openssh/sshd.pam
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index e0a13b26197..3a7fe49d531 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.94 2015/07/30 03:20:36 taca Exp $
+$NetBSD: distinfo,v 1.95 2015/08/14 08:57:00 jperkin Exp $
SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c
RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788
@@ -12,23 +12,24 @@ SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987
SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450
SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7
SHA1 (patch-auth2-chall.c) = 9edd679fc0a1d128786cea8939e804adb400c3c9
-SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405
+SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284
SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa
SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e
SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219
SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea
SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02
SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d
-SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
+SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 9ccde56bfcfe1791b367f933e51b25137acce960
SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9
SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5
SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6
+SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb
SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0
SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e
-SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
+SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545
SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca
SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15
-SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b
+SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4
SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a
-SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd
+SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2
diff --git a/security/openssh/files/org.openssh.sshd.sb.in b/security/openssh/files/org.openssh.sshd.sb.in
new file mode 100644
index 00000000000..e060377c928
--- /dev/null
+++ b/security/openssh/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.logger"))
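Review bot: The profile header does not say where the rules come from or how `@VARBASE@` gets its value, which matters because the file warns that its contents are an Apple private interface; I would add after the copyright block `;; Derived from Apple's sshd sandbox profile; @VARBASE@ is filled in by the pkgsrc post-configure target.` The only filesystem rule besides `file-chroot` is `(allow file-read-metadata (literal "@VARBASE@"))`, an exact-path match, so this presumably covers the parent of the privsep chroot directory and nothing else; if VARBASE on the target is reached through a symlink, or the chroot directory is configured outside VARBASE, the rule may not match the path the kernel sees, and a comment stating which path the rule is meant to cover would make that checkable. Since `(deny default)` comes first, every other operation the preauth child performs is denied; that is the intended hardening, and it is worth stating in the header so that later additions are made deliberately.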
diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c
index f54e65d7f2f..e43029ad95e 100644
--- a/security/openssh/patches/patch-auth2.c
+++ b/security/openssh/patches/patch-auth2.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth2.c,v 1.4 2015/07/09 16:14:23 taca Exp $
+$NetBSD: patch-auth2.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth2.c
-@@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
diff --git a/security/openssh/patches/patch-loginrec.c b/security/openssh/patches/patch-loginrec.c
index 11bf035bd68..7394d49310d 100644
--- a/security/openssh/patches/patch-loginrec.c
+++ b/security/openssh/patches/patch-loginrec.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-loginrec.c,v 1.3 2015/03/20 22:41:19 rodent Exp $
+$NetBSD: patch-loginrec.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support and related fixes. Fix build on FreeBSD.
---- loginrec.c.orig 2014-01-17 01:23:24.000000000 +0000
+--- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ loginrec.c
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
int
diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
index 2d706e37602..e7438d52856 100644
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.2 2015/08/14 08:57:00 jperkin Exp $
Interix support
---- openbsd-compat/bsd-openpty.c.orig 2006-08-24 09:52:30.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
return (-1);
diff --git a/security/openssh/patches/patch-sandbox-darwin.c b/security/openssh/patches/patch-sandbox-darwin.c
new file mode 100644
index 00000000000..c19da070152
--- /dev/null
+++ b/security/openssh/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ struct rlimit rl_zero;
+
+ debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ &errmsg) == -1)
++#endif
+ fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+ /*
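Review bot: The named-profile branch passes `"@PKG_SYSCONFDIR@/org.openssh.sshd.sb"` to `sandbox_init()` and trusts whatever is at that path; sshd elsewhere checks that the privsep chroot directory is root-owned and not group/world-writable before using it (`fatal("%s must be owned by root and not group or "` in the later patch-sshd.c hunk), but nothing comparable is done for the profile, so a writable profile weakens the sandbox silently. Whether that check belongs here or in the packaging is a judgement call, but the branch should carry a comment saying so, e.g. `/* Profile path is trusted as installed; unlike _PATH_PRIVSEP_CHROOT_DIR it is not ownership/mode-checked here */`. Failure is fail-closed because the existing `fatal()` is reached on `-1`, which is the right default. The fallback `#define SANDBOX_NAMED_EXTERNAL (0x3)` hard-codes what is presumably a value from Apple's private sandbox header; a comment such as `/* value from Apple's private sandbox.h when the SDK does not expose it; confirm against the SDK in use */` would record that. ssh_sandbox_child() begins before this hunk.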
diff --git a/security/openssh/patches/patch-sftp-common.c b/security/openssh/patches/patch-sftp-common.c
index 80d7f87e721..c12b4fcf627 100644
--- a/security/openssh/patches/patch-sftp-common.c
+++ b/security/openssh/patches/patch-sftp-common.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-sftp-common.c,v 1.2 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-sftp-common.c,v 1.3 2015/08/14 08:57:00 jperkin Exp $
Include <unistd.h> for strmode(3).
---- sftp-common.c.orig 2014-01-09 23:40:45.000000000 +0000
+--- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sftp-common.c
@@ -37,6 +37,9 @@
#include <string.h>
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index 872b92dc08e..24a67203e2f 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
+$NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
* Interix support
* Revive tcp_wrappers support.
@@ -24,9 +24,9 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
- int use_privsep = -1;
-+#else
+int use_privsep = 0;
++#else
+ int use_privsep = -1;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
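Review bot: The corrected `#ifdef HAVE_INTERIX` block still carries no comment, and the commit message itself shows how an inverted condition here went unnoticed for years; a one-line note next to it would make the intent checkable on the next rebase, e.g. `/* Interix: privilege separation is never used; elsewhere -1 presumably means "not decided yet" */`. The patch file's header list (`* Interix support`, `* Revive tcp_wrappers support.`) should also gain an entry for the `__APPLE_SANDBOX_NAMED_EXTERNAL__` change made further down in this file, since that header is the only summary a future maintainer of the patch will read.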
@@ -47,16 +47,27 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
}
-@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt)
set_log_handler(mm_log_handler, pmonitor);
/* Demote the child */
- if (getuid() == 0 || geteuid() == 0)
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+ if (getuid() == ROOTUID || geteuid() == ROOTUID)
privsep_preauth_child();
setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
-@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt)
+ ssh_sandbox_child(box);
++#endif
+
+ return 0;
+ }
+@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
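Review bot: The added comment `/* We need to do this before we chroot() so we can read sshd.sb */` explains why `ssh_sandbox_child(box)` now runs ahead of the demotion, but not what that ordering requires: the named profile is entered while the child is still root, so everything that follows (the chroot and the demotion done by privsep_preauth_child()) must be permitted by org.openssh.sshd.sb rather than by the built-in pure-computation profile, and a profile that forgets this only fails as a `fatal()` at connection time. I would extend it to `/* Named-external profile: enter the sandbox before privsep_preauth_child() while sshd.sb is still readable; the profile must allow the chroot and demotion that follow. */`. The same `if (box != NULL) ssh_sandbox_child(box);` now appears in both preprocessor branches; a single call site with the `#ifdef` choosing its position would be easier to keep in step. privsep_preauth() begins before this hunk.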
@@ -65,7 +76,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1485,8 +1501,10 @@ main(int ac, char **av)
+@@ -1485,8 +1508,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -77,7 +88,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1915,7 +1933,7 @@ main(int ac, char **av)
+@@ -1915,7 +1940,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -86,7 +97,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1938,8 +1956,10 @@ main(int ac, char **av)
+@@ -1938,8 +1963,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -97,7 +108,7 @@ $NetBSD: patch-sshd.c,v 1.4 2015/07/09 16:14:23 taca Exp $
if (rexec_flag) {
rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2135,6 +2155,25 @@ main(int ac, char **av)
+@@ -2135,6 +2162,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c
index d28e7300566..bb46fb9e080 100644
--- a/security/openssh/patches/patch-uidswap.c
+++ b/security/openssh/patches/patch-uidswap.c
@@ -1,8 +1,8 @@
-$NetBSD: patch-uidswap.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-uidswap.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support
---- uidswap.c.orig 2014-01-18 09:43:50.000000000 +0000
+--- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ uidswap.c
@@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,